ABSTRACT

In 2000, an attractive new quantum cryptography was discovered by H. P. Yuen, which can realize secure
communication at high speeds and over long distances with conventional optical devices. Recently, a criticism
of the Yuen protocol, the so-called Y-00, was made by Nishioka and the Imai group (Mitsubishi and University of
Tokyo), who claimed that Y-00 is essentially a classical stream cipher. This paper shows that the claim is
incorrect. In particular, it is shown that the relation $l_i = r_i \oplus \tilde{k}_i$, which is their basis for the attack, has no
essential role in any security analysis. In addition, we give a brief introduction to the general logic for the
security of Y-00 as direct encryption and also for key generation.

Several industries have started to build test-beds of Y-00 for the digital optical fiber highway, following
Kumar's leading work. We hope that this discussion encourages experimental work that realizes secure
communication against quantum computers and quantum attacks based on physical principles.
1. INTRODUCTION

A quantum key distribution or generation scheme for two legitimate users (Alice and Bob) is one of the most
interesting subjects in quantum information science, and was pioneered by C. Bennett and G. Brassard in
1984 [1]. In addition, several variations of the key generation protocol have been proposed [2]. We emphasize
that such results are great achievements and open a new science. Many researchers believe that key
distribution by single photons is on the verge of commercial application. However, we should take into account
the fact that the electronics, communication, and cryptography communities are basically not interested
in the practical use of quantum cryptography based on single-photon schemes. Although there is no means
of settling such a serious argument, we would like to make the following comment. Key distribution or
generation is very important, but defining quantum cryptography only by BB-84 and similar principles is a
very narrow view. Yuen, Kumar, and their group have pointed out that quantum cryptography
should involve other aspects, and have called quantum information scientists' attention to quantum cryptography
based on another principle. It is clear that the single-photon-based BB-84 has serious performance limitations [3],
such as the possible communication distance and key rate, if the customer wants to use it in a modern
digital communication network, the so-called super digital highway. Research like Gisin's work [4] to cope with
such limitations, and coherent-state-based BB-84, should be encouraged, and research like that of the Northwestern
University group to investigate another scheme for achieving the same function should also be welcomed. So we
would like to support both types of research.

The purpose of this paper is to comment on the recent paper criticizing [5] the Yuen protocol.
In cryptography, trial attacks on a proposed protocol are essential. So consideration of attacks on Y-00 is
welcome. But one should follow the basic principle of the proposed protocol before attacking it. In this
sense, the attack of Nishioka et al. [5] is basically not grounded on an appropriate theory. As a result, there is
a misunderstanding of the Yuen protocol. We will clarify their mistakes in this paper. To readers who ask for
more fruitful results, we recommend reference [6].

2. YUEN PROTOCOL: Y-00
2.1. General representation of Y-00

In 2000, the basis of the present Y-00 was proposed, which is a new kind of quantum cryptography based on
a different principle [6, 7]. In 2002, several concrete implementations were realized [8, 9]. In these papers
it is called the $\alpha\eta$ scheme. Let us first mention the basic concept behind their idea. There are many fundamental
theorems in quantum information theory. The most important theorem for the processing of classical
information by quantum states is the following:

Theorem 1: 

Signals with nonorthogonal states cannot be distinguished without error and optimum lower bounds for error 
rate exist. 

This means that if we assign nonorthogonal states to the bit values 1 and 0, then one cannot distinguish 1
and 0 without error. When the error probability is 1/2 based on quantum noise, there is no way to distinguish
them, according to quantum detection theory [10]. On the other hand, in the quantum case, one has to take a
quantum attack into account. So one needs the well-known quantum no-cloning theorem.

Theorem 2: 

Nonorthogonal states cannot be cloned without error. 

A fundamental requirement of secure communication is, first, to establish that the channel between Alice
and Eve is very noisy, while the channel between Alice and Bob is kept as a normal communication channel by
its physical structure. To realize this, Yuen employed a combination of a shared short key for the legitimate users
and a kind of stream cipher with a specific modulation scheme, following the above two theorems. We note
that a main idea in his protocol is the explicit use of a shared short key and the physical nature of the scheme for
the cryptographic objectives of secure communication and key generation. One can also say that the origin
of the security comes from receiver performance with versus without the key.

According to his paper, the application of Y-00 is, first, as a direct encryption stream cipher in conventional
cryptography, and then, by extension, key generation, but not a one-time pad, which is very inefficient. Here we
emphasize that one should employ different security criteria for direct encryption and key generation. For
direct encryption with unavoidable channel noise, the criteria are given as follows.

Criteria of security: 

(a) Ciphertext-only attack on data and on key: To get the plaintext or key, Eve knows only the ciphertext
from her measurement.

(b) Known/chosen plaintext attack: To get the key, Eve inserts her known or chosen plaintext data into the
modulation system (for example, inserts an all-0 sequence as text). Then Eve tries to determine the key from
input-output. Using the key, Eve can determine the data from the ciphertext.

For key generation, unconditional security is preferable.

Here let us introduce the structure of Y-00. The data bit is modulated by M-ary keying driven by a pseudo
random number generator. The M-ary keying has M different bases based on 2M coherent states. So the
data bit is mapped into one of 2M coherent states randomly. In general, a quantum information system
is described by a density operator. The density operator of the output of the coding/modulation system of
Y-00, as seen by the attacker in a ciphertext-only individual attack, is

$$\rho_T = p_0 \rho_0 + p_1 \rho_1 \qquad (1)$$

where

$$\rho_0 = \sum_j q_j |\alpha_j\rangle\langle\alpha_j| \qquad (2)$$

$$\rho_1 = \sum_k q_k |\alpha_k\rangle\langle\alpha_k| \qquad (3)$$

The probability $p_i$ depends on the statistics of the data, and $q_j$, $q_k$ depend on the pseudo random number,
with j and k being even and odd numbers, for example. Eve has to extract the data from the quantum
system with such a density operator. However, according to one of the most fundamental theorems (Theorem
1) in quantum information theory, the accuracy of Eve's measurement is limited. For the ciphertext-only attack,
the best way for Eve is of course given by the quantum optimum detection for the two mixed states $\rho_0$ and $\rho_1$.
That is, the accuracy of Eve's measurement is as follows:

$$P_e = \min\left(p_1 \mathrm{Tr}\,\rho_1 \Pi_0 + p_0 \mathrm{Tr}\,\rho_0 \Pi_1\right) \qquad (4)$$

As shown in references [8,9], the error probability of Eve as determined by the quantum limit is $\sim 1/2$ for
an appropriate choice of the number M and signal energy. This means that Eve's data is completely inaccurate.
In addition, Overlap Selection Keying (OSK) was proposed in references [11,12], based on discussions with
Yuen. Each set of basis states is used for {1,0} and {0,1}, depending on the sub running key.

Set $A_1$: $0 \to |\alpha_{(i)}\rangle$, $1 \to |\alpha_{(M+i)}\rangle$
Set $A_2$: $0 \to |\alpha_{(M+i)}\rangle$, $1 \to |\alpha_{(i)}\rangle$

The density operators of 1 and 0 for Eve are $\rho_1 = \rho_0$. So Eve is completely unable to estimate the information bits.
This is an advantage of OSK. For the known/chosen plaintext attack, Eve knows the data. So the best way
for Eve is to detect the 2M pure coherent states, which directly convey the running key sequence. In this case, the
accuracy of the data is also given by the quantum detection for 2M pure coherent states [10,11,12], and the
data involve an unavoidable error given by

$$P_e = \min\left(1 - \sum_i p_i \mathrm{Tr}\,\rho_i \Pi_i\right) \qquad (5)$$

For appropriate M and signal energy we have $P_e \sim 1$. As a result, Eve's data involves unavoidable error
under any attack scheme, and she cannot get any meaningful information.

Thus, Y-00 is a new type of quantum cryptography based on quantum detection theory. That is, the
security is guaranteed by quantum noise, but the system can be implemented with conventional devices. As
a quantum advantage, Y-00 provides secrecy against quantum computers and quantum attacks. We can
summarize the properties of Y-00 as follows:

Direct encryption 

In the ciphertext-only attack, Y-00 may exceed the classical Shannon limit. That is,

$$H(X|Y_E) > H(K) \qquad (6)$$

where X is the information, $Y_E$ is the ciphertext as the "measured value" for Eve, and K is the initial seed key. Even with
$H(K|Y_E, X) = 0$, intuitively the search complexity is between $2^{|K|}$ and $2^{2^{|K|}}$ in Y-00, $|K| \sim 100$. For the known
plaintext attack, it is expected that

$$H(K|Y_E, X) > 0 \qquad (7)$$

which corresponds to information-theoretic security.

As a result, Y-00 may provide an information-theoretically secure scheme with very efficient performance
for direct encryption.

Key generation 

The condition for secure key generation is 

$$H(X|Y_E, K) > H(X|Y_B) \qquad (8)$$

where $Y_B$ is Bob's observation with knowledge of the seed key. Recently it has been claimed that the key
generation scheme using Y-00 with several randomizations can be unconditionally secure [6].

In order to realize the above performance, several new randomizations will be introduced in reference [6].

2.2. Classical Y-00

We would like to show an additional property of Y-00 here. The structure of the Yuen protocol is formed by
physical processes with specific modulator performance and so on. This means that the protocol is different
from conventional cryptography formulated by mathematical concepts, even if the scheme is constructed from
devices based on classical physics. It is called "physical cryptography". Since the protocol is constructed
by a combination of physical processes, one can devise new randomizations that are possible with physics to
increase the security. As a result, Y-00 may have better performance than conventional cryptography even if
the system is a classical one. That is, to our surprise, this is a new type of stream cipher in the classical limit
even within conventional cryptography. The security of Y-00 is then enhanced by classical noise and also by the quantum
nature of the system. These facts are essential in order to understand Y-00.

3. THE ATTACK ON Y-00 

Recently Nishioka et al. [5] have given an attack scheme on Y-00 as a key generation scheme, based on a relation
of M-ary coding. But the original papers [8,9] on Y-00 are about direct encryption. Thus, although it involves many
misunderstandings, in this section we try to use their scheme in the correct way in order to check whether it
makes sense as an attack on Y-00. We will then point out that the proposed attack scheme is meaningless even
if the system is a completely noiseless classical system, and also that the basis (Eq(9)) of their claim has no essential
role for Y-00.

3.1. Noiseless classical system 

Their logic is that one can neglect the noise effect by choosing an appropriate indirect observable for the data
bit, so that it reduces to a less noisy or classical noiseless model. Then, by combination with a one-time pad for the classical
communication process, the security of the total system is equivalent to a conventional stream cipher. It seems
that their claim is that Y-00 corresponds to a classical cryptosystem, because $H(X|Y_E) < H(K)$ up to $H(K)$,
which means that there is no possibility of key generation, i.e., obtaining a new key from X statistically
independent of K, even when the data is information-theoretically secure.

Although their logic is not grounded on an appropriate theory, here we can verify their misunderstanding.
Let us show their scheme. In order to clarify the essential point, we employ one-mode classical M-ary phase
shift keying signals. That is, we do not need quantum signals (coherent states and so on). Here we use their
notation. The attack scheme on classical Y-00 can be summarized as follows: The phase shift keying scheme
used in Y-00 of reference [8] is taken to be

$$l_i = r_i \oplus \tilde{k}_i \qquad (9)$$

on the phase space, where $l_i$ is one of two regions separated by an appropriate basis on the phase space.

If the appropriate axis is the horizontal axis, the two regions are the upper plane and the lower plane, and $r_i$ is the
true random data bit. $\tilde{k}_i$ is 0 for an even number and 1 for an odd number in the running key of the M-ary
assignment. Eq(9) indeed holds as the coding scheme in the original scheme. For example,

($l_i$ = up, $\tilde{k}_i$ = even) → r = 1

(up, odd) → r = 0

(down, even) → r = 0

(down, odd) → r = 1



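Let us define the sequences of numbers $l$, $r$, $\tilde{k}$ as follows:

$$L = (l_1, l_2, l_3, \ldots) \qquad (10)$$
$$R = (r_1, r_2, r_3, \ldots) \qquad (11)$$
$$\tilde{K} = (\tilde{k}_1, \tilde{k}_2, \tilde{k}_3, \ldots) \qquad (12)$$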



First we analyze direct encryption based on their scheme. Let K and N be an initial key with length
$|K|$ and a pseudo random number with length $|N|$, respectively. The essential point of their attack is to measure
the indirect observable L. However, since the observable does not contain the information of the data bit, they
are required to use a brute force attack on the key to find a correct sequence of the data. Here we define
$\mathcal{R}_N$ as the set of random data sequences with the length of $|N|$. Alice sends a sequence $R_t$ in $\mathcal{R}_N$,
and it is coded based on Eq(9) with a $K_j$, $j \in 2^{|K|}$. The proposed attack requires the measurement of L.
Here $l_i$ of L depends on the axis selected on phase space at the first step. Here, let the horizontal axis be
the selected axis. So $l_i$ is up or down. $\{C_+, C_-\}$ in the attack scheme in their paper correspond to {even
and odd}. $K_j$ corresponds to a pseudo random number sequence which has a number of possibilities of $2^{|K|}$
and the length $|N|$. Let $R_t$, $L_t$, $K_t$ be the true sequences used and defined on the phase space for Alice and
Bob. Let $L_m$ be the measurement result. She tries to assign every kind of $K_j$ to her measured sequence $L_m$.
So she gets a set $\mathcal{R}_E$ based on $l_i = r_i \oplus \tilde{k}_i$. If $L_m$ is error free, then it is guaranteed that one element of $\mathcal{R}_E$ is the
true random bit sequence. At this stage, we can say $H(X|Y_E) = H(K)$. So it is information-theoretically
secure. Here, if there is a one-bit error in $L_m$ for some reason, then Eve has $L_t \oplus e$, where $e = (0, 0, 1, 0, 0, \ldots)$
is the error sequence. The position of the error is unknown and uniformly distributed. When Eve applies $K_j$,
$j \in 2^{|K|}$ to $L_t \oplus e$, then it is not guaranteed that the true $R_t$ exists in $\mathcal{R}_E$. Since Eve does not know the
true random bits sequence, she has to try 2 2 ^ greater than the initial one in the sense of exponential. If 
there are many errors, then it becomes $\sim 2^{2^{|K|}}$. So one may obtain Eq(6).
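
The brute-force step described in this paragraph can be checked on a toy model. The following Python simulation is an added example, not code from this paper or from Nishioka et al.; it assumes an 8-bit LFSR as the running-key generator with one output bit per symbol used as $\tilde{k}_i$, $|N| = 32$, and the bit labels up = 1, down = 0, even = 0, odd = 1, chosen so that Eq(9) matches the example table above.

```python
"""Toy model of the noiseless classical attack of Sec. 3.1 (added example).

Assumptions, not from the paper: an 8-bit LFSR stands in for the running-key
generator, one output bit per symbol is used as k~_i, and the labels
up = 1, down = 0, even = 0, odd = 1 are chosen so that Eq. (9) reproduces the
(up/down, even/odd) -> r table given in the text.
"""
import random

KEY_BITS = 8          # |K|, toy size so that all seeds can be enumerated
SEQ_LEN = 32          # |N|, number of transmitted symbols


def lfsr_bits(seed, n):
    """Return n output bits of a Fibonacci LFSR (feedback taps 8, 6, 5, 4)."""
    state, out = seed, []
    for _ in range(n):
        out.append(state & 1)
        fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 4)) & 1
        state = (state >> 1) | (fb << (KEY_BITS - 1))
    return out


def xor(a, b):
    """Bitwise XOR of two equal-length bit lists."""
    return [x ^ y for x, y in zip(a, b)]


def encode(data, seed):
    """Eq. (9): l_i = r_i XOR k~_i, the half-plane seen on the phase space."""
    return xor(data, lfsr_bits(seed, len(data)))


def candidate_set(l_measured):
    """Eve's set R_E: decode the measured L with every nonzero seed K_j."""
    return {seed: tuple(xor(l_measured, lfsr_bits(seed, len(l_measured))))
            for seed in range(1, 2 ** KEY_BITS)}


def attack_outcome(data, seed, error_pos=None):
    """Return (true data in R_E?, distinct candidates, min Hamming distance)."""
    l_m = encode(data, seed)
    if error_pos is not None:          # L_t XOR e with a single flipped bit
        l_m[error_pos] ^= 1
    cands = set(candidate_set(l_m).values())
    dist = min(sum(a != b for a, b in zip(c, data)) for c in cands)
    return tuple(data) in cands, len(cands), dist


if __name__ == "__main__":
    rng = random.Random(2004)          # constructed sample data
    r_true = [rng.randint(0, 1) for _ in range(SEQ_LEN)]
    print("error-free L_m:", attack_outcome(r_true, seed=0xB5))
    print("one-bit error :", attack_outcome(r_true, seed=0xB5, error_pos=20))
```

With an error-free $L_m$ the true sequence is one of the 255 candidates, and Eve cannot tell which; with a single flipped bit at any position the true sequence is absent from the set, and the closest candidate differs from it in one bit.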

Since Y-00 is a physical cryptography, we should clarify its physical nature. Let us discuss a property of
the physical system of the M-ary PSK coding scheme as a physical cryptography. In general, the phase spaces of
Alice-Bob and Alice-Eve are not the same. The phase space is formed by the relative phase based on the local phases of
Bob and Eve. For example, the quadrature amplitudes are
$\{x_c = A\cos(\phi_S - \phi_{L(\mathrm{Bob})}),\ x_s = A\sin(\phi_S - \phi_{L(\mathrm{Bob})})\}$ and
$\{x_c = A\cos(\phi_S - \phi_{L(\mathrm{Eve})}),\ x_s = A\sin(\phi_S - \phi_{L(\mathrm{Eve})})\}$. Eq(9) is defined for the phase space of Alice-Bob.
They assumed that Eve has the same phase space as that of Alice-Bob. In general Eve does not know the
correct phase space, because the channel for Alice and Bob has synchronization, but the channel between
Alice and Eve does not have the same synchronization. This fact is one of the characteristics of physical cryptography.
So Eve never understands what the axis decided by herself is, and she never knows what kinds of $\{C_-, C_+\}$
should be used. As a result, $\mathcal{R}_E$ involves many errors, even when the measurement of $l_i$ itself is noiseless.
Since the obtained data are random numbers, she has no way to know which bits are incorrect. If the period of
the pseudo random number is $2^{|K|}$, as in the case of a maximum length linear feedback shift register, then
the number of possibilities is $\sim 2^{2^{|K|}}$, which is greater than $2^{|K|}$.

The above physical situation also provides information-theoretic security against a known plaintext attack based
on their attack. Of course, if one uses DSR (deliberate signal randomization), discussed in the next subsection,
then the security is proved more effectively.

For key generation, the original paper made no claim. But Nishioka et al. made a new model as follows:
Eve does not assign $K_j$, $j \in 2^{|K|}$ at the first stage, and they forge a new model, a so-called one-time pad scheme
using Y-00, which was not mentioned at all in the original paper. In their model, they use the relations as
follows:

$$c_i \oplus l_i = x_i \oplus \tilde{k}_i$$

(13)
(14)

where $c_i$ is the ciphertext and $x_i$ is the plaintext. The random number R as the key disappears. Eve can get $c_i$ and $l_i$,
but she does not know $\tilde{k}_i$. At this second stage, Eve tries to assign to Eq(9) all the different running keys,
for which the number of possibilities is $2^{|K|}$. As a result, they claim that the security of Y-00 is equivalent
to that of a classical stream cipher $C = P \oplus K_{run}$, where $K_{run}$ is the output of the pseudo random number
generator in the stream cipher. However, this scheme does not work, for the same reason as that for the first
stage.

We will discuss the general concept of quantum key generation in Section 4.

3.2. Randomization

In general, one uses several randomizations in conventional cryptography. We have randomization for the
protection of Y-00 against the above attack, even if the system is noiseless. DSR (deliberate signal randomization)
is one of the most effective methods. Although it is easy to show that the initial key advantage hides the basic
axis of phase space (refer to communication theory and [13]), here we dare to assume a perfect synchronization of
Alice, Bob, and Eve at the initial stage of the protocol. Then the system is a completely noiseless classical
one. Since they insist that the system is regarded as classical when they measure the indirect observable, they
can use Eq(9). However, for such an attack scheme, we can use

$$L \oplus F = R \oplus \tilde{K} \qquad (15)$$

where F is a forced randomization which destroys the phase synchronization. This is one of the DSRs explained in
reference [6]. Such randomizations induce errors in the measurement of $L_m$ and destroy relations
like Eq(9). So Eve's accessible information from the measurement $L_m$ is completely zero. That is, Eve's trial
goes from $K_j$, $j \in 2^{|K|}$ to $2^{2^{|K|}}$, which means a search trial for each bit in the sequence of length $2^{|K|}$.

If Eve has only an attack such as Eq(9), then this classical Y-00 under a ciphertext-only attack is already secure
in the sense of Eq(6), and it makes a secure scheme (Eq(8)) for the known plaintext attack even in the noiseless
classical framework. So no quantum computer can break this scheme. As a result one can see that the attack
using Eq(9) has no gain even in the noiseless classical Y-00. Again, this means that if Eve has only such an
attack, then we do not need a quantum scheme to achieve "our purpose".

3.3. Effect of quantum noise in up-down measurement

In the original experiment by Kumar's group, they did not use the randomization, for simplicity. Even so, it
will be secure against the above-mentioned attack. In the framework of their claim, let us show that the error
of the measurement for $l_i$ is unavoidable, even if they have complete synchronization for phase space. The
density operators of signal sets for up and down measurement are

(16)

We calculated the quantum limit, which is the most rigorous lower bound of the error probability, for this signal
when the coherent state is mesoscopic and M is several hundred. As a result, the error is several percent:
$P_e \sim 0.01$. This means that the number of error bits is $P_e \times 2^{|K|} \gg 1$, which is enough to protect against
the proposed attack with a brute force attack. In addition, in the system of Northwestern University, M is
over 2000. So if one does not know the running key, the measurement of L would involve errors for a bundle
of states close to the axis selected by Eve. Since the basis state of Alice is chosen randomly and uniformly
on the circle of phase space, the error bits of the measurement sequence $L_m$ will be distributed uniformly.
The security based on search is strongly enhanced even in their model. Thus the attack based on indirect
measurement cannot overcome the security for direct measurement based on quantum detection theory [10].
However, before we even discuss the quantum effect, their attack is broken by classical randomization and so on.



4. QUANTUM Y-00 WITH INFORMATION-THEORETIC SECURITY 

Let us recall that if Eve wants to create the situation

$$H(X|Y_E) < H(K) \qquad (17)$$

Eve has to get complete information for the sequence by measurements, not for $l_i$. Nishioka et al. do not
mention the concrete measurement process they use. This is very strange and is their second mistake. If they
want to use compound relative of the measurement for the data and Eq(9), then they should show how to
measure it. In any case, the accuracy of Eve's measurement is bounded by quantum detection theory. In
the previous section, we focused only on the attack scheme given by Nishioka et al. There is a more general
description of the security of Y-00, independent of any concrete attack, based on quantum detection theory.
In the following, we introduce the general one.

If Eve wants to know some information on the data bits, she has to measure the signals with some instrument.
In Y-00 of the original model, the problem of the measurement ability reduces to the comparison between the optimum
binary quantum measurement and the optimum phase measurement. Since Eve does not know K, she needs to
make the phase measurement in order to identify X for all possible basis selections from the running key.
According to quantum detection theory, when Eve and Bob have the ultimate ability (ultimate receiver
devices, and so on), their error probabilities may be shown to be [6]

$$P_e^B \sim \exp(-4S) \quad \text{vs} \quad P_e^E \sim \exp(-2S) \qquad (18)$$

where $S = \langle n \rangle$ is the signal energy. Thus the error probability of Bob is smaller than that of Eve. This fact
gives an advantage distillation, so it leads to information-theoretic security and key generation even if one does
not use any randomizations. That is, Eq(8) holds.

On the other hand, the randomizations provide a more efficient scheme, for example,

$$P_e^B \sim \exp(-2S') \quad \text{vs} \quad P_e^E \sim \exp(-S') \qquad (19)$$

where $S' \sim 10$ or a reasonable value with DSR for $S = \langle n \rangle \gg 1$. The above explanations, in principle, beat
off any comment that Y-00 corresponds to classical cryptography.

5. CONCLUSION 

We clarified that the criticism of the Yuen protocol by T. Nishioka, T. Hasegawa, H. Ishizuka, K. Imafuku, and
H. Imai is wrong, and that the attack does not say anything about Y-00. However, the security of Y-00 is a different
problem. One can see reference [6] and subsequent papers for the general theory. The author's group is
concerned with how to realize Y-00 with ultimate security by an intensity modulation/direct detection optical
communication system, as discussed in [11,12].